OpenSSL Certificate issue

Paul Kraus paul at kraus-haus.org
Thu Jan 10 18:38:35 UTC 2013


> On 1/10/13 12:49 PM, Paul Kraus wrote:
>> On Jan 10, 2013, at 12:38 PM, Greg Larkin wrote:
>> 
>>> It looks like you don't have the Gmail certificate installed
>>> locally, unless I'm mistaken.
>> 
>> I do not need to have the Google cert installed as long as I have
>> the Root Cert that signed it installed, and I do have that cert.
>> The fact that I can point to the certificate file itself and the
>> test connection works fine shows that I have the correct cert file.
>> I agree that it is probably NOT installed correctly, but ...
>> 
>>> Check the instructions here, and let us know if that fixes the
>>> problem for you: 
>>> http://squeezesetup.wordpress.com/install-mail-part-2-gmail-certs/
>> 
>>> 
>> These instructions appear to be for Linux and not FreeBSD and there
>> are configuration and path differences, which is probably the core
>> of my problem. I expect that I have not installed the root certs
>> into the correct directory (but they are in the directory that
>> c_rehash is working in).
>> 
>> 
> 
> My guess is that you're using the c_rehash supplied with OpenSSL 1.x
> (installed as a port?) to hash the certs and then the OpenSSL 0.9.x
> binary from the base system to connect to the Gmail POP server.
> 
> Give your s_client command another try with the fully specified path
> to the OpenSSL 1.x binary to see if that corrects the verification error.

That appears to be the problem; using /usr/local/bin/openssl works, but I still need to know where the base system needs to have the certs placed (and how to hash them, as the only c_rehash script is the one that came with the port of openssl)? There are a number of utilities (most important here is fetchmail) which are using the base openssl libraries.

NOTE: I did not explicitly install the openssl port, it must have been brought in as a dependency by another port.

--
Paul Kraus
Deputy Technical Director, LoneStarCon 3
Sound Coordinator, Schenectady Light Opera Company
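
Added example, not part of the thread: OpenSSL 1.0.0 changed the subject-name hash used for CApath lookups, so links created by a 1.x c_rehash are not found by a 0.9.x library. The sketch below links each certificate under both hash formats; the function names and the OPENSSL variable are assumptions of this example, and it needs an OpenSSL 1.0.0 or later binary for the -subject_hash_old option.

```shell
#!/bin/sh
# Added example (not from the thread). Links every PEM certificate in a
# CApath directory under both lookup names:
#   -subject_hash      format looked up by OpenSSL 1.x
#   -subject_hash_old  format looked up by OpenSSL 0.9.x
# Assumption: $OPENSSL is an OpenSSL 1.0.0+ binary (it knows both options).
OPENSSL="${OPENSSL:-openssl}"

# link_one DIR FILE HASH: create DIR/HASH.N -> FILE using the first free N,
# so different certificates whose hashes collide can coexist.
link_one() {
    dir=$1; file=$2; hash=$3; n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        # This certificate is already linked under this hash: nothing to do.
        [ "$(readlink "$dir/$hash.$n")" = "$file" ] && return 0
        n=$((n + 1))
    done
    ln -s "$file" "$dir/$hash.$n"
}

# rehash_both DIR: process DIR/*.pem and DIR/*.crt, skipping non-certificates.
rehash_both() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue    # glob matched nothing
        new=$("$OPENSSL" x509 -noout -subject_hash -in "$cert" 2>/dev/null) || {
            echo "skipping (not a certificate): $cert" >&2
            continue
        }
        old=$("$OPENSSL" x509 -noout -subject_hash_old -in "$cert") || return 1
        base=$(basename "$cert")
        link_one "$dir" "$base" "$new"
        link_one "$dir" "$base" "$old"
    done
}
```

Call it as `rehash_both /path/to/certdir`, then point either OpenSSL version at that directory with -CApath.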
